[PATCH 01/15] spl: nand: Fix NULL-pointer dereference

Sean Anderson seanga2 at gmail.com
Sun Oct 29 15:15:23 CET 2023


On 10/28/23 23:48, Sean Anderson wrote:
> spl_nand_fit_read unconditionally accesses load->priv. Ensure it is set.
> 
> Fixes: 00e180cc513 ("spl: nand: support loading i.MX container format file")
> Fixes: 4620e8aabc1 ("spl: nand: support loading legacy image with payload compressed")
> Signed-off-by: Sean Anderson <seanga2 at gmail.com>
> ---
> 
>   common/spl/spl_nand.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/common/spl/spl_nand.c b/common/spl/spl_nand.c
> index 07916bedbb9..a19236d9e6d 100644
> --- a/common/spl/spl_nand.c
> +++ b/common/spl/spl_nand.c
> @@ -105,7 +105,7 @@ static int spl_nand_load_element(struct spl_image_info *spl_image,
>   		struct spl_load_info load;
>   
>   		load.dev = NULL;
> -		load.priv = NULL;
> +		load.priv = &offset;
>   		load.filename = NULL;
>   		load.bl_len = bl_len;
>   		load.read = spl_nand_fit_read;
> @@ -116,7 +116,7 @@ static int spl_nand_load_element(struct spl_image_info *spl_image,
>   
>   		debug("Found legacy image\n");
>   		load.dev = NULL;
> -		load.priv = NULL;
> +		load.priv = &offset;
>   		load.filename = NULL;
>   		load.bl_len = 1;
>   		load.read = spl_nand_legacy_read;

Actually, since spl_nand_legacy_read doesn't reference priv, this second hunk is
unnecessary. Actually, spl_nand_legacy_read and spl_load_legacy_img are technically buggy
since size/offset are supposed to be in units of bl_len. However, this basically just
results in extra multiplies and divides, so I don't think it's desirable. I actually have
a patch to convert everything to bytes (keeping alignment), so "fixing" this is not
necessary for the moment.

--Sean


More information about the U-Boot mailing list